[Samba] Samba 4 LDAP NTLM password nightly injection

Luc Lalonde luc.lalonde at polymtl.ca
Tue Mar 26 09:10:43 MDT 2013


Hello Andrew,

I'm finally diving into this project...

First off, my sysadmin stuff is mostly in Perl.  So my Python is rudimentary at best.

Here we go anyway...  I've looked at the 'upgrade.py' but I can't seem to figure out how to connect to the Samba4 passwd database.

In the script I see these lines:

#######################################################
# Connect to samba4 backend
s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))
########################################################

I would appreciate a hint on how to connect to the database please.  Where is the 'passdb' object referenced from?

Once that's done, from what I understand, I should be able to change the passwords directly:

#######################################################
# Change foo-user password
admin_userdata = s4_passdb.getsampwnam("foo-user")
admin_userdata.nt_passwd = "878D8014606CDA29677A44EFA1353FC7"
admin_userdata.lanman_passwd = "552902031BEDE9EFAAD3B435B51404EE"
s4_passdb.update_sam_account(admin_userdata)
#######################################################

Is that right?

Cheers.

-- 
Luc Lalonde, analyste
---------------------------------------------------------------------
Département de génie informatique:
École polytechnique de Montréal
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
---------------------------------------------------------------------

----- Original Message -----
From: "Andrew Bartlett" <abartlet at samba.org>
To: "Luc Lalonde" <Luc.Lalonde at polymtl.ca>
Cc: samba at lists.samba.org
Sent: Tuesday, December 11, 2012 10:22:21 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Samba] Samba 4 LDAP NTLM password nightly injection

On Tue, 2012-12-11 at 21:48 -0500, Luc Lalonde wrote:
> Hello Folks,
> 
> In our present Samba-3 setup we update user passwords in our LDAP backend.  We only have access to the encrypted NTLM passwords and use Perl scripts to do this.
> 
> Beyond importing the user database with the 'Classic upgrade' method, will we be able to adapt our Perl scripts so that we can keep updating the internal Samba-4 database with the encrypted passwords as we did with Samba-3?
> 
> We've been using Samba for many years now and very much appreciate all the work done by the Samba team.  Congrats on getting Samba-4 to stable status!

Yes, you can continue to do that.  The best approach would be to set it
via the ldb python bindings, specifying the
DSDB_CONTROL_PASSWORD_HASH_VALUES_OID control and unicodePwd, or via the
python or C passdb API.  

One approach you could code from is how we set the administrator
password during the 'classicupgrade' script in
source4/scripting/python/samba/upgrade.py.  

Give that a go, but if you need more clues I'm very happy to help out. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
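
An added illustration of the ldb route Andrew mentions (not code from this thread or from Samba): it validates a hex NT hash and builds an LDIF modify record that sets unicodePwd to the raw 16-byte value. Assumptions: the record is afterwards applied to the Samba 4 database with the DSDB_CONTROL_PASSWORD_HASH_VALUES_OID control attached, unicodePwd is read as the raw hash under that control, and the DN shown is made up; the hash is the sample value from the message above.

```python
import base64
import binascii

HASH_LEN = 16  # an NT hash is 16 raw bytes, i.e. 32 hex digits


def hash_from_hex(hex_str):
    """Return the 16 raw bytes of a hex-encoded hash, or raise ValueError."""
    try:
        raw = binascii.unhexlify(hex_str.strip())
    except (binascii.Error, ValueError) as exc:
        raise ValueError("not valid hex: %r" % hex_str) from exc
    if len(raw) != HASH_LEN:
        raise ValueError("expected %d bytes, got %d" % (HASH_LEN, len(raw)))
    return raw


def ldif_line(attr, value):
    """Emit one LDIF line, base64-encoding values that are not LDIF-safe."""
    if isinstance(value, str):
        safe = (value != "" and value.isascii() and value[0] not in " :<"
                and not value.endswith(" ")
                and not any(c in value for c in "\r\n\0"))
        if safe:
            return "%s: %s" % (attr, value)
        value = value.encode("utf-8")  # e.g. a DN with accented characters
    return "%s:: %s" % (attr, base64.b64encode(value).decode("ascii"))


def build_modify_ldif(user_dn, nt_hex):
    """Build an LDIF record replacing unicodePwd with the raw NT hash."""
    # Assumption: the caller applies this record with the password-hash
    # control named in the thread; without it unicodePwd is not a raw hash.
    return "\n".join([
        ldif_line("dn", user_dn),
        "changetype: modify",
        "replace: unicodePwd",
        ldif_line("unicodePwd", hash_from_hex(nt_hex)),
        "-",
        "",
    ])


if __name__ == "__main__":
    # Hash is the sample from the message above; the DN is constructed.
    print(build_modify_ldif("CN=foo-user,CN=Users,DC=example,DC=com",
                            "878D8014606CDA29677A44EFA1353FC7"))
```

Rejecting malformed hashes before the write matters in a nightly job: a truncated or mis-encoded value would otherwise lock the account out until the next run.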
